<div dir="ltr">I use XKCD passwords <a href="http://xkcd.com/936/">http://xkcd.com/936/</a><div><br></div><div>I've been pleasantly surprised to find most of the services I care about don't complain about my 30+ character passwords. I really wish they would be smarter about entropy measurement rather than just insisting that some stupid rules be satisfied.</div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Mar 4, 2013 at 12:58 PM, Michael H. Warfield <span dir="ltr"><<a href="mailto:mhw@wittsend.com" target="_blank">mhw@wittsend.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On Mon, 2013-03-04 at 12:38 -0500, Ron Frazier (ALE) wrote:<br>
><br>
> "Michael H. Warfield" <mhw@WittsEnd.com> wrote:<br>
><br>
> >On Mon, 2013-03-04 at 09:35 -0500, Ron Frazier (ALE) wrote:<br>
> >> Hi all,<br>
> ><br>
> >> I first saw the link to this article on the dc404 mailing list. If<br>
> >you're an evernote user, you need to know about this.<br>
> ><br>
> >> <a href="http://www.theverge.com/2013/3/2/4056704/evernote-password-reset" target="_blank">http://www.theverge.com/2013/3/2/4056704/evernote-password-reset</a><br>
> ><br>
> >If you are an Evernote user, you need to change your password. The<br>
> >attackers had access to user IDs and password hashes. The passwords<br>
> >were hashed and salted but simple passwords are still subject to<br>
> >off-line brute force and rainbow table attacks. Change your password to<br>
> >a good, high complexity, password or passphrase.<br>
> ><br>
<br>
> Do you think a 15 character random alphanumeric generated by Lastpass is good enough? Or, should you go longer if the site will let you?<br>
<br>
</div>That's probably reasonable although my personal preference is for pass<br>
phrases. I take several words (Jabberwocky style) and mix in some<br>
numbers and punctuation. Much easier to remember and type (especially<br>
on a smart phone) and very much easier to remember.<br>
<br>
I run into more dain-bramaged sites that don't allow punctuation than<br>
really limit the length but there are some still out there that haven't<br>
gotten the memo and restrict your length to negligently short lengths.<br>
<div class="HOEnZb"><div class="h5"><br>
> >MOST IMPORTANT! This is NOT mentioned in the article quoted, but... If<br>
> >you used the same user id (E-Mail address) or similar and the same<br>
> >password on other sites, change all of them and use different passwords<br>
> >on each. It is not uncommon for someone to use the same password and id<br>
> >on different sites. It is equally not uncommon for attackers to KNOW<br>
> >THIS and, once they break your password on one site, to use a common,<br>
> >broken, password to attack other sites. That includes sites with other<br>
> >common variations on your user id.<br>
> ><br>
><br>
> I've known this for some time, but only recently went to the trouble to do it, after LinkedIn had their break-in. I'm now using LastPass, which is a good way to keep track of many different passwords for different sites. (I know there are other solutions too.) It was a major pain to go to every site I had and go through the password change procedure, especially because, for the ones that were already different, I had to look them up. However, every one is now different and random. Every time I generate a new password for a new site, or change one on an old site, I let LastPass handle it. The password vault is secured by a master password that you don't give out online. If anyone is interested, I can post my recommended settings for LastPass preferences. You can use the service for free on PCs, but have to pay a modest fee for Premium service to use on mobile devices. I pay the fee, and am glad to support their continued development.<br>
><br>
> >> Sincerely,<br>
> ><br>
> >> Ron<br>
> ><br>
> >Regards,<br>
> >Mike<br>
> ><br>
> ><br>
> >--<br>
> >Michael H. Warfield (AI4NB) | <a href="tel:%28770%29%20985-6132" value="+17709856132">(770) 985-6132</a> | mhw@WittsEnd.com<br>
> >/\/\|=mhw=|\/\/ | <a href="tel:%28678%29%20463-0932" value="+16784630932">(678) 463-0932</a> | <a href="http://www.wittsend.com/mhw/" target="_blank">http://www.wittsend.com/mhw/</a><br>
> >NIC whois: MHW9 | An optimist believes we live in the best of all<br>
> >PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!<br>
> ><br>
> ><br>
> ><br>
><br>
> --<br>
><br>
> Sent from my Android Acer A500 tablet with bluetooth keyboard and K-9 Mail.<br>
> Please excuse my potential brevity if I'm typing on the touch screen.<br>
><br>
> (PS - If you email me and don't get a quick response, you might want to<br>
> call on the phone. I get about 300 emails per day from alternate energy<br>
> mailing lists and such. I don't always see new email messages very quickly.)<br>
><br>
> Ron Frazier<br>
> <a href="tel:770-205-9422" value="+17702059422">770-205-9422</a> (O) Leave a message.<br>
> linuxdude AT <a href="http://techstarship.com" target="_blank">techstarship.com</a><br>
><br>
><br>
<br>
--<br>
Michael H. Warfield (AI4NB) | <a href="tel:%28770%29%20985-6132" value="+17709856132">(770) 985-6132</a> | mhw@WittsEnd.com<br>
/\/\|=mhw=|\/\/ | <a href="tel:%28678%29%20463-0932" value="+16784630932">(678) 463-0932</a> | <a href="http://www.wittsend.com/mhw/" target="_blank">http://www.wittsend.com/mhw/</a><br>
NIC whois: MHW9 | An optimist believes we live in the best of all<br>
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!<br>
</div></div><br>_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br>.!# RichardBronosky #!.
</div>
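<p>Added example, not part of the thread above: a short Python script that puts numbers on the points the thread argues about. It computes the entropy of the schemes mentioned (XKCD's 4-word passphrase, a Diceware-style 6-word phrase, LastPass's 15 random alphanumeric characters, a 30-character password) and the expected time to exhaust them at two assumed guess rates, then shows why "hashed and salted" does not rescue a weak password: with the salt and hash in hand, an offline dictionary attack costs one hash per candidate. The 8-word list, the guess rates, and the 28-bit figure for a rule-satisfying "Tr0ub4dor&amp;3" password (taken from the comic) are assumptions or constructed inputs; the single-round salted SHA-256 stands in for whatever Evernote actually used, which the thread does not say.</p>

```python
import hashlib
import math
import os
import secrets

# Constructed toy word list (a real XKCD/Diceware-style list has 2048-7776
# words). The entropy figures below use the list size you pass in, so they
# describe a real list rather than this toy one.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "monkey", "sunset", "purple", "radio"]

# XKCD 936's own estimate for a "Tr0ub4dor&3"-style password built to satisfy
# complexity rules: about 28 bits, because the substitutions are predictable.
XKCD_TROUBADOR_BITS = 28


def bits_of_entropy(alphabet_size, length):
    """Bits of entropy for `length` symbols chosen independently and uniformly
    from `alphabet_size` possibilities (whole words count as symbols)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to find the password: half the keyspace on average."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def compare_schemes():
    """Entropy, in bits, of the password schemes discussed in the thread."""
    return {
        "Tr0ub4dor&3 (rule-satisfying, xkcd estimate)": XKCD_TROUBADOR_BITS,
        "4 words from a 2048-word list (xkcd)": bits_of_entropy(2048, 4),
        "6 words from a 7776-word Diceware list": bits_of_entropy(7776, 6),
        "15 random alphanumeric chars (LastPass)": bits_of_entropy(62, 15),
        "30 random alphanumeric chars": bits_of_entropy(62, 30),
    }


def xkcd_passphrase(words, n_words=4, separator="-"):
    """Pick n_words independently and uniformly with the secrets module
    (not random.choice, which is not suitable for secrets)."""
    return separator.join(secrets.choice(words) for _ in range(n_words))


def salted_hash(password, salt):
    """Single-round salted SHA-256 (an assumed storage scheme). The salt
    defeats precomputed rainbow tables; it does not slow down guessing."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def crack_with_wordlist(salt, target_hash, candidates):
    """Offline dictionary attack: the attacker holds the salt and the hash,
    so each candidate costs exactly one hash. Returns the password or None."""
    for candidate in candidates:
        if salted_hash(candidate, salt) == target_hash:
            return candidate
    return None


def demo():
    # Constructed scenario: one single-word password and one four-word
    # passphrase, both salted; the attacker's dictionary is the toy list.
    salt = os.urandom(16)
    weak = salted_hash("monkey", salt)
    strong = salted_hash("correct-horse-battery-staple", salt)
    return {
        "weak_cracked": crack_with_wordlist(salt, weak, SAMPLE_WORDS),
        "strong_cracked": crack_with_wordlist(salt, strong, SAMPLE_WORDS),
    }


if __name__ == "__main__":
    year = 86400 * 365
    for name, bits in compare_schemes().items():
        # 1e3/s is the online rate xkcd assumes; 1e10/s is an assumed GPU
        # rate against a stolen single-round SHA-256 hash.
        online = expected_crack_seconds(bits, 1e3) / year
        offline = expected_crack_seconds(bits, 1e10) / year
        print(f"{name:46s} {bits:6.1f} bits  online {online:9.3g} y"
              f"  offline {offline:9.3g} y")
    print(demo())
    print(xkcd_passphrase(SAMPLE_WORDS))
```

<p>The comparison makes the thread's two points concrete: the 44-bit XKCD phrase is ample against the 1000 guesses/second the comic assumes for an online attack, but against an offline attack on a fast hash it falls in well under an hour, which is why a leaked hash database changes the calculus and why a 15-character random string (about 89 bits) or a longer phrase is the right answer to the LastPass question. The dictionary attack in <code>demo()</code> recovers the single-word password immediately and never finds the passphrase, salt or no salt.</p>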